On July 24, 2020, the Federal Reserve Board finalized a rule that, among other things, implements changes to its rules for the disclosure of confidential supervisory information (CSI). According to the Fed, the final rule is generally similar to its proposal from June 2019, with a few changes in response to public comments.
By way of background, the Fed regulations (12 CFR § 261.2) define CSI as (i) information consisting of reports of examination, inspection, and visitation; confidential operating and condition reports; and any information derived from, related to, or contained in such reports; (ii) information gathered by the Fed in the course of any investigations; suspicious activity reports; cease-and-desist orders; civil money penalty enforcement orders; suspension, removal, or prohibition orders; or other orders or actions under applicable banking laws; and (iii) any documents prepared by, on behalf of, or for the use of the Fed, a Federal Reserve Bank, a federal or state financial institution’s supervisory agency, or a bank or bank holding company or other supervised financial institution. CSI does not include final orders, amendments, or modifications of final orders, or other actions or documents that are specifically required to be published or made available to the public pursuant to applicable law, including the record of litigated proceedings and the public section of Community Reinvestment Act examination reports.
In response to the June 2019 proposal, many commenters on the proposal were concerned with the overly broad definition of “confidential supervisory information” in the proposed rule. Commenters specifically focused on the scope of the term in relation to documents prepared by or for a financial institution for its own business purposes. Commenters were concerned that any document that was prepared by or for the supervised financial institution for its own business purposes and that was in its possession would be CSI regardless of its content if the document was also “created or obtained in furtherance of the Board’s supervisory, investigatory, or enforcement activities.” The Fed agreed with the commenters that the proposed definition was not sufficiently clear with respect to documents that are prepared by or for a financial institution for its own business purposes and that are in the institution’s possession. Accordingly, the Fed revised the definition as follows: “Confidential supervisory information does not include documents prepared by or for a supervised financial institution for its own business purposes that are in its own possession and that do not include confidential supervisory information as defined … [herein], even though copies of such documents in the [Federal Reserve Board’s] … possession constitute confidential supervisory information.” The Fed’s subtle changes to the definition of CSI in response to the commenters now make it clear that documents that are prepared by (or for) the subject financial institution for its own business purposes, that are in its possession, and that do not include CSI are not considered CSI under the revised definition, even though copies of such documents may be in the Fed’s possession.
The Fed’s final rule also made significant changes to its regulation governing the disclosure of CSI. For example, the final rule allows financial institutions to share CSI with all affiliates rather than only with their parent bank holding companies. The Fed also adopted a revised standard for the sharing of CSI that will permit a Fed-supervised institution to disclose CSI with its directors, officers, and employees “when necessary or appropriate for business purposes,” and the Fed included a similar standard permitting disclosures to the institution’s outside legal counsel and auditors where the disclosures are “necessary or appropriate in connection with the provision of legal or auditing services.” In addition, the Fed’s final regulation makes important modifications to its rules governing disclosures to third-party service providers:
- The final rule eliminated the Fed’s previous regulatory requirement that outside legal counsel and auditors view CSI only on the premises of the supervised institution and also removed the provision of the proposed rule that would have conditioned disclosures to legal counsel and auditors on their executing specific written agreements with respect to their use of CSI.
- The final rule also eliminated the requirement that financial institutions obtain prior Fed approval to disclose CSI to their other service providers, such as consultants, contractors, and contingent workers. Under the final rule, the authority for disclosure of CSI to such other service providers is subject to, among other requirements, the existence of a contract with a service provider for the provision of services, a determination that the disclosure to a specific service provider is necessary to the provision of the services, and the service provider’s execution of a written agreement with the financial institution regarding its use of CSI.
The final rule is effective 30 days after publication in the Federal Register. The full text of the Federal Register Notice can be found at this link.